Car Hackers Return to Black Hat to Reveal New Flaws

Researchers Miller and Valasek continue to find risks in connected cars. Secure technology, such as intrusion-prevention devices, should be built in, they said.

LAS VEGAS—For the third year in a row, security researchers Charlie Miller and Chris Valasek gave a talk at the Black Hat USA conference here about car hacking. Despite the high-profile recall of 1.4 million cars in 2015 after their talk, there are still risks in vehicles that can enable an attacker to take control of steering and brakes.
The highly anticipated talk at this year's Black Hat conference played out in front of a standing room-only audience that had gathered to hear the pair of researchers with their unique brand of onstage showmanship and drama. The two researchers, who now work for Uber, started off by recounting their previous two Black Hat talks in 2014 and 2015 that laid the groundwork for what they revealed this year.
In the 2014 attack, Miller and Valasek were able to discover how to manipulate some Controller Area Network (CAN) messages that handle some functions in the car. The limitation was that the commands could only be passed to a car that was either not moving or moving at less than 5 mph. In the 2015 attack, the researchers found a remote way into the vehicle via a flaw that Chrysler has since patched. Additionally, remote access was blocked by Sprint, which is the carrier used by Chrysler to enable its vehicles.
Miller quipped that Chrysler did a great job of patching and Sprint blocked access effectively, which hampered his and Valasek's efforts at further research, so they needed to find another way in.

The Chrysler Jeep vehicle they had also has a USB port, which Miller and Valasek were able to use to get Secure Shell (SSH) access to the CAN on the car. The simple password that the pair discovered to get access was "dtdonkey," but the pair joked they didn't know what that referred to.

From there, the pair spent a lot of time looking at the messages going across the CAN to see if they could, in fact, manipulate steering and brakes when the car was moving faster than 5 mph. The key challenge they initially found was a message conflicting issue, such that when they injected messaged into the CAN, the legitimate messages were still being sent. In some cases, the message contention could have just shut down the attacked system, not enabling anything to happen.
To solve the issue, Miller and Valasek came up with an approach they called BootROM Boogaloo. The Jeep and other vehicles have firmware that can be reflashed to enable software updating. By starting the firmware upgrade process while the car was still stationary, and then starting the car and injecting the fake messages via the USB, it was possible to bypass the 5-mph restriction. Additionally, the two researchers came up with a system they called "message unconfliction" to further trick the car's systems and block the legitimate messages in favor of the injection messages.
Miller and Valasek showed video of how they were able to manipulate the steering wheel and brakes by using the BootROM Boogaloo and "message unconfliction" approaches. In one of the test cases, the two researchers ended up putting their Jeep into a ditch on the side of a highway in Missouri, which elicited a loud roar of laughter from the audience.
Compared with the reaction to Miller and Valasek's 2015 research that led Chrysler to issue a vehicle recall, the response to this year's attack was more muted.
"Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles," Chrysler said in a statement.
Miller said that Chrysler essentially told them that since the attack isn't remote and isn't easily executed there is no immediate concern. Both Miller and Valasek shrugged, commenting that vendors need to build secure technology into cars.
At the core, the simple fix for all the issues outlined by Miller and Valasek in the 2016 talk is the same fix they first proposed in 2014, namely an intrusion-prevention device for cars. The pair also advocate the use of code-signing technology to help make sure only valid code runs on cars.
At a press conference following the talk, the researchers were asked why they did the research.
Although car hacking in the wild is largely impractical today, there are risks, Valasek said. "The main reason we're doing this is to get ahead of issues so it won't be a big problem," Valasek said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.